fix: allow any image source but disallow base64

backend/internal/middleware/csp_middleware.go

@@ -34,7 +34,7 @@ func (m *CspMiddleware) Add() gin.HandlerFunc {
 			"object-src 'none'; " +
 			"frame-ancestors 'none'; " +
 			"form-action 'self'; " +
-			"img-src 'self' data: blob:; " +
+			"img-src * blob:;" +
 			"font-src 'self'; " +
 			"style-src 'self' 'unsafe-inline'; " +
 			"script-src 'self' 'nonce-" + nonce + "'"

frontend/src/lib/components/form/profile-picture-settings.svelte

@@ -35,12 +35,7 @@
 
 		isLoading = true;
 
-		const reader = new FileReader();
-		reader.onload = (event) => {
-			imageDataURL = event.target?.result as string;
-		};
-		reader.readAsDataURL(file);
-
+		imageDataURL = URL.createObjectURL(file);
 		await updateCallback(file).catch(() => {
 			imageDataURL = cachedProfilePicture.getUrl(userId);
 		});

frontend/src/routes/settings/admin/application-configuration/application-image.svelte

@@ -31,12 +31,7 @@
 		if (!file) return;
 
 		image = file;
-
-		const reader = new FileReader();
-		reader.onload = (event) => {
-			imageDataURL = event.target?.result as string;
-		};
-		reader.readAsDataURL(file);
+		imageDataURL = URL.createObjectURL(file);
 	}
 </script>
 

frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte

@@ -115,9 +115,7 @@
 		} else {
 			logo = input;
 			$inputs.logoUrl && ($inputs.logoUrl.value = '');
-			const reader = new FileReader();
-			reader.onload = (event) => (logoDataURL = event.target?.result as string);
-			reader.readAsDataURL(input);
+			logoDataURL = URL.createObjectURL(input);
 		}
 	}